FNB gives 22seven the nod

Founder of 22seven, Christo Davel, says the service will explore other options with the other banks.

Controversial personal financial management (PFM) site 22seven has seen its first breakthrough with SA's “big four” banks, which initially met the service's release with substantial resistance.

FNB announced yesterday that it has decided to allow 22seven limited access to its customers' accounts. “We are now providing a secure means to engage with 22seven in response to our customers' need to learn more about their financial behaviour,” says CEO of FNB online banking, Lee-Anne van Zyl, who adds that the move comes after “careful consideration” from the bank's side.

FNB online banking customers can set up a “secondary user” on their profile, which has a more limited functionality and a different user name and password to the primary user profile. “If correctly set up to allow 'view access' only, this will limit the exposure of client information to transaction history, balances and account numbers,” says Van Zyl, adding that, while the secondary user profile does not pose a risk, the onus is ultimately on the client to protect their personal details.

According to 22seven, it was a tweet that initiated talks between the service and FNB. The tweet by @Wallfish, on 28 January, said: “Just got a DM from @MichaelJordaan saying he's happy to meet with #22seven and explore options. Glad to know at least one bank is sane.”

As a result, 22seven CEO Christo Davel called FNB CEO Michael Jordaan the following week to discuss the issue. 22seven says it will also be “exploring other options with all the banks”. While 22seven does not share numbers regarding its registered users, its creators say they have been “overwhelmed by the response”.

22seven says the use of secondary user profiles will not impact the effectiveness of the service: “22seven is a read-only service. It gives customers a view of their financial behaviour and does not enable any transactions, so secondary user functionality will not limit our customers' experience of the service at all.”

Following FNB's repositioning on the matter, Absa has released a statement reiterating its position that “under no circumstances” should its customers divulge their sensitive personal information to any third party. Absa initially blocked 22seven's financial aggregating partner, Yodlee, from accessing its clients' information.

Absa's head of digital banking services, Christo Vrey, says: “Our stance on third-party PFM services that request users divulge sensitive details will remain consistent with this, until further direction is received from the relevant regulatory and industry bodies.”

However, Vrey adds Absa is open to conversations with any third-party PFM service to “explore collaborative models that do not violate the simple principle of never sharing one's online banking logon credentials with any third party”.

Itumeleng Monale, director of self-service banking at Standard Bank, says the bank will not support the disclosing of any banking logon credentials to third parties, “especially in the case where those third parties have not engaged with the bank in detail to ensure alignment of security standards”. She says, however, that engagements with the technology service providers for 22seven are being arranged to “understand their environments and assess the potential risk to customers”.

Nedbank did not respond to questions from ITWeb by the time of publication.

New media lawyer Paul Jacobson says that, while the move by FNB is a positive one, a potential risk still hangs over a third party being given access to sensitive financial information, not insofar as transactional capability goes, but in terms of a breach of confidentiality and privacy.

He says that, while it is unlikely 22seven would contravene the trust imparted to it by its clients, one must consider that, in the wrong hands, financial credentials could be exposed, “the stuff nightmares are made of”.

Jacobson says that, if banks were serious about facilitating the service for clients, he would have expected to see the institution of an application programming interface, which would mean clients do not give over their credentials as such, but rather allow limited access to information.

“The fact that it hasn't happened yet suggests that banks are more concerned with showing users how to limit their risk, rather than providing a solution that would preclude it,” says Jacobson.

He says that, by signing up to the third-party financial service provider and granting it the scope of access set out in the terms of service, one is acting on a basis substantially steeped in trust. The problem, says Jacobson, is that users become lax about giving out personal details after a while, and he warns that “one day it could go bad”.

“Unless banks offer the capability to limit access from a third party provider to one's details, I would think very carefully before using such services. On one hand, 22seven is new and still has to prove itself and then there is the likelihood that other such services will start to emerge, increasing the potential for breach of confidentiality. We must be careful that we don't become blasé about these things.”